TimsterMon / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

yarascan fails to execute grep expression (attached) #522

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
If the following command line is executed on a Win7 Enterprise box using ver 
2.4 of Volatility:

W:\VOL_Analysis_Scripts>volatility.exe yarascan -f MemoryDump.bin --yara-rules="(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" --kernel --profile=WinXPSP2x86

Nothing is found.  Note that if the MemoryDump.bin image used is mounted as a 
memory dump under X-Ways Forensics and the exact same grep string (as above) is 
used to perform a simultaneous search, thousands of matches are found.

So it appears that YaraScan has a problem parsing this grep expression to the 
point where it can be executed successfully as a "yara-rules" command.

FEEDBACK: It would be very helpful if yarascan had a default option to search 
for URLs and IPs such as --find_URLS and --find_IPs and output hits found as 
single line ASCII strings (no HEX).

Bill Spernow
bill.spernow@securitymentors.com

Original issue reported on code.google.com by Bill.Spe...@gmail.com on 3 Feb 2015 at 9:16

GoogleCodeExporter commented 9 years ago
Hi Bill, please note that yarascan is not a regular expression engine, it is a 
yara engine.  Yara accepts yara rules, which are not plain regular expressions. 
 Yara is capable of handling regular expressions, and you can find more 
information on how to do so at [1].  To allow quick use of these features, we 
allow regular expressions to be wrapped in /'s (so /<regexp>/), just like yara 
regular expressions.  The value itself is then inserted in a simple yara 
"strings" rule.  The same is true if a string literal is detected.  The only 
time we don't wrap everything in a strings rule is if a complete rule (starting 
with {) is provided.

You might also find the strings plugin a simpler mechanism for locating strings 
of a particular pattern in memory such as URLs or IPs, rather than having to 
write complete yara rules.

I'm going to mark this issue as won't fix, since it's not a volatility issue, 
and we try to mimic yara's syntax as closely as possible.

[1] http://yara.readthedocs.org/en/v3.2.0/writingrules.html#regular-expressions

Original comment by mike.auty@gmail.com on 3 Feb 2015 at 11:27

GoogleCodeExporter commented 9 years ago
Also, please file all new bugs on github as mentioned in issue 521.

Original comment by mike.auty@gmail.com on 3 Feb 2015 at 11:28

GoogleCodeExporter commented 9 years ago
Hi Bill, also note that the yarascan plugin can accept a yara rules file (which 
can, via include directives, include other yara rules files). So, instead of 
searching for individual criteria one at a time, you can dump the regex (after 
potentially fixing it to yara syntax) along with regexes for IPs, hostnames, AV 
signatures, etc, into a rule file and then scan for them all at once. 

By the way, yes, please file future issues at github...I'm surprised anyone saw 
this issue. 

Original comment by michael.hale@gmail.com on 3 Feb 2015 at 11:43
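As an added example (not Volatility's own code and not posted by anyone in this thread), the following Python models the two points made in the replies above: the way a single --yara-rules value is wrapped into a one-string yara rule, which is why the unwrapped regex from the report was searched for as literal text, and the rules-file approach (the --yara-file option in Volatility 2.x) that lets several regexes run in one pass. The rule template text, the use of Python's re module as a stand-in for the yara engine, the URL regex, the constructed memory buffer and the include path common.yar are all assumptions made for this example; the IPv4 regex is the one from the report, unchanged.

```python
import re

# Rule template a single --yara-rules value is dropped into. The thread says the
# value is inserted into a simple "strings" rule; the exact template text here is
# an assumption for this example, not Volatility's source.
RULE_TEMPLATE = "rule r1 {{ strings: $a = {value} condition: $a }}"

# IPv4 regex from the original report, unchanged (\x2e is a literal '.').
IPV4 = (r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e"
        r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e"
        r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\x2e"
        r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")

# Simple URL regex (assumption); '/' must be escaped inside a yara /regex/ literal.
URL = r"https?:\/\/[^\s\x00]+"

# Constructed stand-in for a slice of a memory image (not taken from a real dump).
MEMORY = (b"\x00\x00host=10.0.0.5\x00\x00 GET http://192.168.1.10/index.html"
          b"\x00\x00 no addr here 999.1.1 \xff\xfe 8.8.8.8\x00")


def wrap_yara_value(value):
    """Return the yara rule source that --yara-rules=VALUE is turned into.

    A value starting with '/' (regex) or '{' (yara hex-string / rule syntax, as
    the reply describes) is passed through untouched; anything else is quoted
    and becomes a plain text literal.
    """
    if value[0] in ("/", "{"):
        string = value
    else:
        string = '"' + value + '"'
    return RULE_TEMPLATE.format(value=string)


def scan(value, memory):
    """Apply a --yara-rules value to a buffer the way the wrapped rule would.

    Python's re module stands in for the yara engine here (an assumption; yara's
    regex dialect is smaller than Python's). Each hit comes back as a single
    printable string, in buffer order, which is the output form the report asked for.
    """
    if len(value) > 1 and value[0] == "/" and value[-1] == "/":
        pattern = re.compile(value[1:-1].encode())          # regex search
    elif value[0] == "{":
        raise ValueError("hex strings / complete rules are not emulated here")
    else:
        pattern = re.compile(re.escape(value.encode()))     # literal text search
    return [m.group(0).decode("ascii", "replace") for m in pattern.finditer(memory)]


def rules_file(patterns, includes=()):
    """Emit a yara rules file: optional include lines plus one regex rule per
    named pattern, so several searches run in a single yarascan pass."""
    lines = ['include "%s"' % path for path in includes]
    for name, regex in patterns.items():
        lines.append("rule %s { strings: $a = /%s/ condition: $a }" % (name, regex))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The reporter's command passed the regex without slashes, so the engine was
    # asked for the pattern text itself and found nothing:
    print(wrap_yara_value(IPV4))
    print(scan(IPV4, MEMORY))                 # []
    # Wrapped in slashes it is compiled as a regex and the addresses appear:
    print(scan("/" + IPV4 + "/", MEMORY))     # ['10.0.0.5', '192.168.1.10', '8.8.8.8']
    print(scan("/" + URL + "/", MEMORY))      # ['http://192.168.1.10/index.html']
    # Same patterns as a rule file for --yara-file (the include path is hypothetical):
    print(rules_file({"ipv4": IPV4, "url": URL}, includes=["common.yar"]))
```

Running it shows the literal search returning nothing while the slash-wrapped regex returns the three addresses in the sample buffer; on the real command line that is the difference between --yara-rules="(25[0-5]..." and --yara-rules="/(25[0-5].../", which is what the reply recommends. The rules-file output can be saved and passed to yarascan instead of one pattern at a time.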

GoogleCodeExporter commented 9 years ago
Thanks for the insight and guidance.  Appreciate the help.  FYI: I was confused 
by the 4.2 Cheat Sheet for Volatility that seems to infer that, given the 
examples provided, for search options for URLs and IPs that yarascan does have 
full blown grep capability. Also, nowhere in the book "Memory Forensics" is 
there any advisement that yarascan's compatibilities are limited with respect 
to running grep like expressions as detailed in the bullets on page 211.

Original comment by Bill.Spe...@gmail.com on 4 Feb 2015 at 2:58